[67329] in North American Network Operators' Group
Re: Monumentous task of making a list of all DDoS Zombies.
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Sun Feb 8 12:13:24 2004
In-Reply-To: <4025FBDA.1040905@outblaze.com>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 8 Feb 2004 18:12:46 +0100
To: Suresh Ramasubramanian <suresh@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu
On 8-feb-04, at 10:05, Suresh Ramasubramanian wrote:

>> Coming up with new types of probes all the time to check for this
>> would be a huge amount of work.

> Would that be any less work than clearing up the mess left by an
> infestation of DDoS zombies? :)

Apples and oranges. You need to clean up the zombies regardless of
whether they succeeded in attacking the victim or they were stopped.
>> I favor an approach where people no longer get to send data at high
>> speed without the recipient's approval. Just sending data in the
>> blind or any type of scanning could then trigger a severe rate limit
>> or raise an alarm.

> It is fairly easy to work around rate limits by just scaling
> laterally, and compromising a few million more boxes. If the next
> virus grabs 4M, or 20M boxes instead of just a measly 2M boxes, you
> can rate limit all you like, but it really won't help.

Help against what? You're right that if a million boxes send one 125
byte packet per second to the same place, that's still a gigabit worth
of traffic; that particular place is going to receive a gigabit worth
of traffic. But how are you going to infect a million boxes if you can
only scan one address per second?

And let's not be so blasé as to assume that all DoS attacks are done with a
million zombies at a time.
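Added example, not part of the original thread or its posters' text: a back-of-the-envelope model that puts numbers on the two arguments above, the aggregate-bandwidth arithmetic (a million hosts at one 125-byte packet per second) and the question of how a per-host scan-rate limit changes how fast a random-scanning worm can reach a given number of hosts. The model is the standard logistic (Staniford-style) random-scanning approximation; the vulnerable-population size, address-space size and scan rates are constructed assumptions chosen to mirror the figures in the thread, not measurements, and the model ignores NAT, unallocated space, patching and defender response.

```python
"""
Added example (not from the NANOG thread): quantify the effect of a
per-host scan-rate limit on random-scanning worm propagation, plus the
aggregate bit-rate arithmetic from the reply.

Model (constructed assumption, classic logistic approximation):
  dN/dt = scan_rate * N * (V - N) / A
where N is the number of infected hosts, V the vulnerable population,
A the scanned address space, and scan_rate the scans per second each
infected host is able to emit.
"""
from math import log

ADDRESS_SPACE = 2 ** 32  # full IPv4 space; simplifying assumption


def aggregate_bps(n_hosts, packet_bytes, packets_per_second):
    """Aggregate bit rate arriving at one victim from n_hosts, each
    sending packets_per_second packets of packet_bytes bytes."""
    return n_hosts * packet_bytes * 8 * packets_per_second


def infection_rate_constant(vulnerable, scan_rate, address_space=ADDRESS_SPACE):
    """k in the logistic solution N(t) = V / (1 + C * exp(-k t)):
    expected vulnerable hits per infected host per second."""
    return scan_rate * vulnerable / address_space


def doubling_time(vulnerable, scan_rate, address_space=ADDRESS_SPACE):
    """Seconds for the infected population to double while N << V."""
    return log(2) / infection_rate_constant(vulnerable, scan_rate, address_space)


def time_to_infect(target, vulnerable, scan_rate, initial=1,
                   address_space=ADDRESS_SPACE):
    """Closed-form solution of the logistic model: seconds until `target`
    hosts are infected, starting from `initial` infected hosts.

    From N(t) = V / (1 + C e^{-kt}) with C = (V - N0)/N0, solving N(t) = T:
      t = (1/k) * ln( T (V - N0) / (N0 (V - T)) )
    """
    if not 0 < initial < target < vulnerable:
        raise ValueError("need 0 < initial < target < vulnerable")
    k = infection_rate_constant(vulnerable, scan_rate, address_space)
    return log(target * (vulnerable - initial)
               / (initial * (vulnerable - target))) / k


def compare_scan_rates(target, vulnerable, scan_rates):
    """Map each scan rate to the seconds needed to reach `target` infected
    hosts. Because t is proportional to 1/scan_rate, a limit that cuts
    per-host scanning by a factor of X stretches the spread by that same X."""
    return {rate: time_to_infect(target, vulnerable, rate) for rate in scan_rates}


if __name__ == "__main__":
    # The reply's arithmetic: 1M hosts * 125 B * 8 bit * 1 pkt/s = 1 Gbit/s.
    print("aggregate:", aggregate_bps(1_000_000, 125, 1) / 1e9, "Gbit/s")

    # Constructed scenario mirroring the thread's "2M boxes": 2M vulnerable
    # hosts, goal of 1M infected, scan rates from one probe per second up.
    for rate, secs in compare_scan_rates(1_000_000, 2_000_000,
                                         [1, 10, 100, 1000]).items():
        print(f"{rate:>5} scans/s/host: {secs / 3600:8.2f} h to 1M hosts "
              f"(doubling every {doubling_time(2_000_000, rate) / 60:.1f} min)")
```

Under these assumptions the one-scan-per-second limit from the reply does not make a million-host infection impossible, but the time to reach it scales linearly with the limit, which is the lever the rate-limiting proposal is pulling on; rerun with a different vulnerable population or address space to see how sensitive the result is to those constructed inputs.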